Systweak Spyware Library
Systweak Spyware Library text
More than 1126248 spyware signatures and growing
Microsoft Gold Certified Partner
Search in:
Worm.Viking.jk Analysis Report
Threat Submitted On: 7/13/2007 10:44:07 AM
Threat Analysed On: 7/13/2007 3:44:07 PM
Threat Updated On: 10/8/2009 3:31:31 AM
Type : Worm
Symptoms of Viking.jk
  • Replicates itself and spreads to the other computers of the network.
  • Installed by executing the scripts from infected e-mail attachments or messages.
Information
Alias : Worm.Win32.Viking.jk
Md5 Hash : [305e7637fd3e2e20bde177d955e9bd7e]
File Size : (73557 bytes)

Here are the Technical findings of our analysis team after analyzing this malware in detail :-

Creates the following infected Files on user's System
Note:
Delete the following Files to remove Infection
File: 7575_appcompat.txt
Path : %temp%
Md5Hash :2a29bda998956d5c99e72c50444a472c ( 2584 bytes)
File: f08f_appcompat.txt
Path : %temp%
Md5Hash :7b8abe3827eacd50595dd7fa3165bace ( 2582 bytes)
File: [randomname].exe
Path : %workingdir%
Skip Navigation Links.
Collapse Md5Hash :Md5Hash :
5ffffc4443a1146fd1261a50d069f42e ( 188249 bytes)
70df1b868b09c4f9b4866e77c8cb4633 ( 73559 bytes)
Also creates the following files on user's System which are also created by Genuine Software :-
Note:
These file(s) can be kept as they are also created by genuine Software.
File : 38742.dmp
Path : %temp%
Md5Hash :d41d8cd98f00b204e9800998ecf8427e ( 0 bytes)
File : 42dd3.dmp
Path : %temp%
Md5Hash :d41d8cd98f00b204e9800998ecf8427e ( 0 bytes)
Creates the following child process(s) on execution:

net stop kingsoft antivirus service

net1 stop kingsoft antivirus service

services.exe

%windir%\explorer.exe

%windir%\system32\dumprep.exe 1160 -dm 7 7 %systemdrive%\docume~1\testing\locals~1\temp\wer1610.dir00\explorer.exe.mdmp 16325836412029320

%windir%\system32\dumprep.exe 1160 -dm 7 7 %systemdrive%\docume~1\testing\locals~1\temp\wer1610.dir00\explorer.exe.hdmp 16325836412029332

%windir%\system32\rundll32.exe %windir%\system32\sysdm.cpl,noexecuteprocessexception %windir%\explorer.exe

Creates the Following MUTEX(s) on user's System:-
virus_asmaping_xzasdwrttyeewd82473m
Copies the Following Files to Given Location :-

Copies :%workingdir%\[random name].exe

To : \10.10.10.22\admin$\305e7637fd3e2e20bde177d955e9bd7e.exe

Copies :%workingdir%\[random name].exe

To : \10.10.10.24\admin$\305e7637fd3e2e20bde177d955e9bd7e.exe

Copies :%workingdir%\[random name].exe

To : \10.10.10.25\admin$\305e7637fd3e2e20bde177d955e9bd7e.exe

Copies :%workingdir%\[random name].exe

To : \10.10.10.26\admin$\305e7637fd3e2e20bde177d955e9bd7e.exe

Copies :%workingdir%\[random name].exe

To : \10.10.10.27\admin$\305e7637fd3e2e20bde177d955e9bd7e.exe

Moves the Following Files to Given Location :-
Moves :%programfiles%\amd\athlon 64 processor driver\amdcon.exe.exe
To : %programfiles%\amd\athlon 64 processor driver\amdcon.exe
Moves :%programfiles%\google\googletoolbar2user.exe.exe
To : %programfiles%\google\googletoolbar2user.exe
Moves :%programfiles%\google\common\google updater\googleupdaterservice.exe.exe
To : %programfiles%\google\common\google updater\googleupdaterservice.exe
Moves :%programfiles%\malicious software removal tool\kb890830-enu.exe.exe
To : %programfiles%\malicious software removal tool\kb890830-enu.exe
Moves :%programfiles%\realvnc\vnc4\unins000.exe.exe
To : %programfiles%\realvnc\vnc4\unins000.exe
Moves :%programfiles%\realvnc\vnc4\vncconfig.exe.exe
To : %programfiles%\realvnc\vnc4\vncconfig.exe
Moves :%programfiles%\realvnc\vnc4\vncviewer.exe.exe
To : %programfiles%\realvnc\vnc4\vncviewer.exe
Moves :%programfiles%\windows journal viewer\jntview.exe.exe
To : %programfiles%\windows journal viewer\jntview.exe
Moves :%systemdrive%\recycler\s-1-5-21-1844237615-308236825-725345543-1005\dc1.exe.exe
To : %systemdrive%\recycler\s-1-5-21-1844237615-308236825-725345543-1005\dc1.exe

NOTE:

1. %temp% Refers to the windows temp folder. By default it is 'C:\Documents and Settings\[user]\Local Settings\Temp'
2. %workingdir% Refers to the current directory in which user is working.

Important: We strongly recommend that you backup the Registry before making any changes to it. Incorrect changes to the Registry can result in permanent data loss or corrupted Files. Modify the malicious\suspicious Subkeys only.

Click Here for more spywarelib.com recommended PC Security and Optimization Tools

To modify registry entries in Windows Operating System:
Follow Steps:
1. Click Start > Run
2. Type “regedit” : to open registry editor
3. Navigate to required registry Key from the Left Tree control and modify accordingly.

Microsoft Gold Certified Partner

© Systweak Inc., 1999-2009 All rights reserved.